Apr 1, 2024
Speed is good for a business. But famously, moving too fast tends to break things. And while speed can drive innovation, it can also land a startup in hot water with regulators, customers, and investors. Last year saw 3,205 publicly reported data breaches in the U.S., a number 72% higher than the previous all-time high, in 2021, according to one estimate. With breaches now costing on average $4.5 million globally, and $9.5 million in the U.S., there’s plenty at stake.
These incidents often arise due to failures in security policy, misconfigured systems, or other human-related errors. So from a CISO’s perspective, the challenge is managing security risk without impacting the velocity at which startups must move to get things done.
Security leaders that AccessOwl co-founder Philip Eller spoke to advocate differing approaches — from “hands-off” to blocking everything. But they share a common belief: engagement and transparency are the way forward, and the only way to mitigate shadow IT.
Vigilance is key
For Jarred White, Fractional CISO at cybersecurity advisory firm IOmergent, the risks associated with allowing staff unfettered access to resources are too great. He advocates restricting employees’ ability to download unsanctioned apps, and instead requiring them to request access programmatically or via a ticket each time they want to do so. This may cause a slight decrease in productivity but is worth the tradeoff.
“I would love them to be able to independently test and try these things. But you wind up with this sprawling amount of stuff that’s sucking up your data and you’re sending your data to, and IT doesn’t know; security doesn’t know,” he says. “I haven’t found, honestly, a good way to handle that, other than to require heavy change control processes and basically restrict individuals’ ability to do that.”
However, in the absence of formalized tooling to block downloads, this approach requires constant vigilance, he advises:
“You have to periodically go through and review the list of Slack plugins or JIRA plugins that have been installed, and then go run down those account owners and say, ‘Hey, why did you install this?’”
A proactive compliance approach
Coveo Director of Information Security Pierre-Alexis Tremblay posits a different approach: a tenet of “proactive compliance” based around education and engagement by the IT security function.
“We want people to understand why they shouldn’t use any type of tool lying around,” he says. “But that requires IT to develop a sales approach toward internal employees saying, ‘You’ve already got three options for that type of system. Please try one of them first and then talk to us.’”
He adds that onboarding is a particularly important moment to get employees to understand and buy into this approach:
“I don’t want to have things more closed than they are. You don’t either. So please be sensitive, be clever about it, and don’t force my hand. We’ve already got the whole world to fight against; we don’t want to fight against our own employees.”
This isn’t to say that CISOs should blindly trust their employees. Tremblay says he still has systems in place to log and monitor user behavior, and to nudge them toward safer practices.
He agrees that startup culture is often directly opposed to what security is trying to achieve. But in fact, more control and standardization on fewer tools can sometimes help employees become faster and more productive, especially developers.
“One thing that we’re losing a lot of time on is all that duplicated work that comes from a bit too much flexibility,” Tremblay says. “Developers are like artists to me; they need space, and I want them to be creative. Their daily task is fixing problems and breaking walls. But at the same time, we don’t want them to lose too much time because they’re doing things multiple times.”
Rapyd Director of IT & Security Operations, Yudit Moldavsky takes a more holistic approach, perhaps because she manages IT for a global fintech unicorn. Her strategy is based on enabling security to do more than just advise — it also enables them to take action and block everything that isn’t on a strictly enforced allowlist. Employees must then request access from IT directly for each unapproved tool they want to use.
“Shadow IT happens because people don’t know that it’s wrong,” Moldavsky asserts. “When a service is blocked, they will start thinking why it is blocked, and they will reach out to my team, and we will solve the core issue they have, which could mean giving them a different, secure tool…. This is the best solution. It creates friction, but that’s fine when there is a functioning IT organization.”
She continues, “Many CISOs are afraid of creating any friction at all. Yet friction is a very effective way of setting safe boundaries and providing a sense of security for the organization. This approach also helps to make employees think harder about why certain apps and services may not be appropriate for work use.”
It’s also predicated on the idea of IT engaging with employees to find the best solution, albeit in a slightly different way to Tremblay’s.
Three ways to manage speed and security
The experts we spoke to had the following advice for balancing speed and security:
1. Create a culture of “security champions”
Novatti Group CISO George Abraham believes that building a security-first culture can deliver the best of both worlds, as it gives IT the confidence that employees can work at the speed they need to without breaking things. In fact, the CISO will know that they’ll proactively report any issues they come across.
“It’s not just people going, ‘I’m not going to click on the phishing test the security team sends every quarter.’ It’s more than that. I want people to come and report stuff to me,” he says. “I want them to come and tell me things, so we’ve got a conscious mission in the team. We want cybersecurity champions — sponsors outside of the management level.”
2. Get granular with security policy
IOmergent’s White suggests that CISOs could bifurcate processes and approval patterns depending on role and risk exposure, enabling some teams to move faster than others with fewer checks.
“You can say, ‘This part of the organization works this way, and this part of the organization works the other way,’ rather than having to apply a single policy to everyone,” he explains. “For example, engineers always get to turn off their antivirus — at least temporarily if they want to — because it interferes with building code and this kind of stuff.”
This approach is especially suited to larger organizations that have more clearly defined lines between teams.
“That’s really what you have to focus on — get very granular with your risk assessment and understand which groups are capable and which aren’t,” White adds.
3. Take it slow
If the CISO has to introduce changes to the way staff work, the most important prerequisite for success is that they do so in a measured way, Novatti Group’s Abraham concludes:
“If you try to introduce too many changes, then things won’t work. You have to pace the change, because the organization needs time to process it.”
He adds, “It’s like physical health. If you try to jump on a crash diet and run 10 kilometers every day, that’s too much change for your body to process, and it will break down. But cut out sugar and alcohol first, then progress to lifting weights and running a bit longer, and it becomes sustainable. You need cybersecurity to be sustainable.”